Analysis

max time kernel: 149s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-08-2024 14:47

Static task: static1
Behavioral task: behavioral1
Sample: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Resource: win10v2004-20240802-en

General

Target: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Size: 1.8MB
MD5: 19d4b831e5dd11605dedad6373ca39b8
SHA1: 5b6058633e97812425c3d02b35478d3a03c27188
SHA256: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
SHA512: 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9
SSDEEP: 49152:mP+5L+DNleL7usSVou5DhOOroBT9IaRw0:mP+5qZs7usPADhq59J
Malware Config

Extracted: amadey
  Version: 4.41
  Botnet: c7817d
  C2: http://31.41.244.10
  install_dir: 0e8d0864aa
  install_file: svoutse.exe
  strings_key: 5481b88a6ef75bcf21333988a4e47048
  url_paths: /Dem7kTu/index.php

Extracted: stealc
  Botnet: nord
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

Extracted: stealc
  Botnet: kora
  C2: http://185.215.113.100
  url_path: /e2b1563c6670f193.php

The Amadey install_dir and install_file values match the second-stage process recorded in the process tree below, C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe, so the loader installed itself exactly as configured. Both Stealc configs share one C2 host and endpoint and differ only in the botnet tag.
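Network IOC matching, added here as an editor's example and not part of the sandbox report: the configs above yield one host and one URL path per family. The function below matches proxy log lines against them, treating host plus configured path as high confidence and host alone as medium, so unrelated traffic to the same address still surfaces. The log layout ("timestamp client method url status") and the log lines themselves are constructed for the example.

```python
"""Match web-proxy log lines against the C2 indicators extracted from the sample."""
import re
from urllib.parse import urlsplit

# Host and URL path per family, copied from the extracted configs in the report.
C2_INDICATORS = {
    "amadey": {"host": "31.41.244.10", "paths": {"/Dem7kTu/index.php"}},
    "stealc": {"host": "185.215.113.100", "paths": {"/e2b1563c6670f193.php"}},
}

# Constructed proxy log in an assumed "timestamp client method url status" layout.
SAMPLE_LOG = """\
1723906020 10.0.0.15 POST http://31.41.244.10/Dem7kTu/index.php 200
1723906022 10.0.0.15 GET http://185.215.113.100/e2b1563c6670f193.php 200
1723906030 10.0.0.15 GET http://185.215.113.100/ 200
1723906031 10.0.0.22 GET https://accounts.google.com/ServiceLogin 200
1723906040 10.0.0.15 POST http://31.41.244.10:80/Dem7kTu/index.php?x=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return (family, confidence) for a URL, or (None, None) if it matches no indicator.

    A host match combined with the configured URL path is 'high'; the host alone is 'medium',
    so other traffic to a known C2 address is still surfaced. An explicit port or a query
    string on the URL does not defeat the match because only hostname and path are compared.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    for family, ind in C2_INDICATORS.items():
        if host != ind["host"]:
            continue
        return family, ("high" if parts.path in ind["paths"] else "medium")
    return None, None


def match_c2(log_text):
    """Return one hit record per log line that touches a configured C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the assumed layout are skipped, not guessed at
        family, confidence = classify_url(m["url"])
        if family is None:
            continue
        hits.append({
            "ts": int(m["ts"]),
            "client": m["client"],
            "method": m["method"],
            "family": family,
            "confidence": confidence,
            "url": m["url"],
        })
    return hits


def clients_by_family(hits):
    """Pivot hits into {family: sorted list of client addresses} for triage."""
    out = {}
    for h in hits:
        out.setdefault(h["family"], set()).add(h["client"])
    return {fam: sorted(clients) for fam, clients in out.items()}


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOG):
        print(hit)
    print(clients_by_family(match_c2(SAMPLE_LOG)))
```

Hostname-only matches are kept at medium rather than dropped because a single C2 server here hosts two Stealc botnets; any client talking to 185.215.113.100 is worth a look even when the path differs from the extracted one.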
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  description   ioc                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   svoutse.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   svoutse.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    svoutse.exe

Executes dropped EXE (6 IoCs)
  pid    Process
  1752   svoutse.exe
  668    e1598c2793.exe
  1136   facfc2c046.exe
  3592   2b6a1acebe.exe
  5556   svoutse.exe
  6116   svoutse.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description   ioc                                                                          Process
  Key opened    \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine   svoutse.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine   svoutse.exe
  Key opened    \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine   svoutse.exe
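Turning the registry-read signatures above (the VBOX__ ACPI table, SystemBiosVersion and VideoBiosVersion, the Software\Wine key, and the CentralProcessor\0 values that a later signature attributes to firefox.exe) into a per-process evasion score, as an added editor's example rather than anything from the report. The weights are the editor's choice; the point of the scoring is that a CPU-info read on its own, which legitimate software such as Firefox performs, never raises an alert, while the combination svoutse.exe shows does. The event records are constructed to mirror the rows above.

```python
"""Score registry reads for sandbox/VM-evasion intent, per process."""
import re
from collections import defaultdict

# Each pattern comes from a registry path listed in the signatures. The weights are the
# editor's: the VBOX__ ACPI table and the Wine key have no reason to be read by ordinary
# software, BIOS version strings rarely, while CentralProcessor\0 is read by plenty of
# legitimate programs (this report records firefox.exe doing it) and must not alert alone.
EVASION_CHECKS = {
    "vbox_acpi": (3, re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    "wine_key":  (3, re.compile(r"\\Software\\Wine$", re.I)),
    "bios_info": (2, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    "cpu_info":  (1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I)),
}
ALERT_THRESHOLD = 3  # editor's choice: one strong category, or BIOS plus CPU, is enough

# Constructed events in the (operation, key, process, pid) shape of the tables above. The
# svoutse.exe and firefox.exe rows mirror what the report lists; RegAsm.exe is a control
# that touches a key outside every category.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "svoutse.exe", 1752),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "svoutse.exe", 1752),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "svoutse.exe", 1752),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine", "svoutse.exe", 1752),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "firefox.exe", 1048),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz", "firefox.exe", 1048),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "firefox.exe", 1048),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "RegAsm.exe", 960),
]


def categorize(key):
    """Map a registry path to an evasion-check category, or None if it matches none."""
    for name, (_weight, pattern) in EVASION_CHECKS.items():
        if pattern.search(key):
            return name
    return None


def score_processes(events, threshold=ALERT_THRESHOLD):
    """Aggregate distinct categories per (process, pid).

    Repeated reads of the same key add nothing: the report lists SystemBiosVersion three
    times for svoutse.exe, and counting each read would let a noisy benign process drift
    over the threshold.
    """
    seen = defaultdict(set)
    for _op, key, proc, pid in events:
        cat = categorize(key)
        if cat:
            seen[(proc, pid)].add(cat)
    verdicts = {}
    for who, cats in seen.items():
        score = sum(EVASION_CHECKS[c][0] for c in cats)
        verdicts[who] = {"categories": sorted(cats), "score": score, "flagged": score >= threshold}
    return verdicts


if __name__ == "__main__":
    for who, verdict in score_processes(SAMPLE_EVENTS).items():
        print(who, verdict)
```

The sandbox hooks report key opens and value queries, which Sysmon does not log; on a production host the same scoring needs an EDR or ETW registry-read source, and the category set should be extended with the other ACPI tables (FADT, RSDT) that hypervisors also brand.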
Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                                                                                   Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1598c2793.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\e1598c2793.exe"   svoutse.exe

AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                        yara_rule
  behavioral2/memory/960-43-0x0000000000400000-0x000000000052D000-memory.dmp   autoit_exe
  behavioral2/memory/960-47-0x0000000000400000-0x000000000052D000-memory.dmp   autoit_exe
  behavioral2/memory/960-45-0x0000000000400000-0x000000000052D000-memory.dmp   autoit_exe
  All three dumps are of pid 960, the RegAsm.exe process that e1598c2793.exe wrote into and whose thread context it set (see Suspicious use of SetThreadContext below), so the rule matches the injected payload, not RegAsm.exe itself.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid    Process
  2964   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
  1752   svoutse.exe
  5556   svoutse.exe
  6116   svoutse.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                            pid    Process          procid_target
  PID 668 set thread context of 960      668    e1598c2793.exe   85
  PID 1136 set thread context of 1380    1136   facfc2c046.exe   87

Drops file in Windows directory (1 IoC)
  description    ioc                            Process
  File created   C:\Windows\Tasks\svoutse.job   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                       Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svoutse.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e1598c2793.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RegAsm.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   facfc2c046.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RegAsm.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2b6a1acebe.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                              Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature      firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      firefox.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                  firefox.exe
  Every entry here comes from firefox.exe, the legitimate browser that the hollowed RegAsm.exe launched; a browser reading CPU details is normal, so this signature adds nothing to the evasion picture for this sample.

Modifies registry class (1 IoC)
  description   ioc                                                                                 Process
  Key created   \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings   firefox.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid    Process                                                                   entries
  2964   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe   2
  1752   svoutse.exe                                                               2
  5556   svoutse.exe                                                               2
  6116   svoutse.exe                                                               2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description               pid    Process       entries
  Token: SeDebugPrivilege   1048   firefox.exe   5

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid    Process
  2964   8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe (1 entry)
  960    RegAsm.exe (repeated)
  1048   firefox.exe (repeated)
  The report lists 64 entries, all for these three processes.

Suspicious use of SendNotifyMessage (64 IoCs)
  pid    Process
  960    RegAsm.exe (all 64 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid    Process       entries
  1048   firefox.exe   4

Suspicious use of WriteProcessMemory (64 IoCs)
  Grouped by source and target; "entries" is the number of times the row appears in the report.
  source pid   Process                                                                   target pid   procid_target   entries
  2964         8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe   1752         81              3
  1752         svoutse.exe                                                               668          84              3
  668          e1598c2793.exe                                                            960          85              10
  1752         svoutse.exe                                                               1136         86              3
  1136         facfc2c046.exe                                                            1380         87              9
  1752         svoutse.exe                                                               3592         91              3
  960          RegAsm.exe                                                                3324         92              2
  3324         firefox.exe                                                               1048         95              11
  1048         firefox.exe                                                               3004         96              20
  The three-entry rows are the writes any parent makes when it creates a child. The ten and nine writes from e1598c2793.exe and facfc2c046.exe into their RegAsm.exe children, paired with the SetThreadContext calls above, are the image being written section by section into a hollowed host. The firefox.exe rows are the browser's own parent-to-content-process setup.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The job file the sample wrote to C:\Windows\Tasks\svoutse.job (see Drops file in Windows directory) is the on-disk artefact of that task, and the two svoutse.exe instances with no recorded parent at the end of the process tree (pids 5556 and 6116) are consistent with it firing.
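The SetThreadContext and WriteProcessMemory rows above, read together with the process tree that follows, describe process hollowing: a dropped executable under %TEMP% starts RegAsm.exe with no arguments, writes into it, swaps its thread context, and the hollowed RegAsm.exe then opens the victim's Google password-settings page in Firefox. The following is an added editor's example, not the sandbox's own detection logic, that finds this chain in process-creation and injection telemetry. The host-binary list, the "anything under C:\Users is user-writable" heuristic, and the two benign control records (pids 4200 and 4242) are assumptions made for the example; the other records are taken from the report.

```python
"""Detect hollowing of a signed .NET host binary from process and injection telemetry."""
import ntpath
from collections import defaultdict

# Signed Microsoft binaries routinely used as hollowing hosts. Used legitimately, each takes
# at least one argument, so an argument-less instance is by itself a signal (editor's list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
GOOGLE_PW_URL = ("https://accounts.google.com/ServiceLogin?service=accountsettings"
                 "&continue=https://myaccount.google.com/signinoptions/password")
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Process-creation records (pid, ppid, image, command line) from the process tree in the report.
# The parent of pid 2964 is not recorded there, so it is None. The last two records (pids 4200
# and 4242) are constructed: a RegAsm.exe run with its normal arguments, which must not alert.
SAMPLE_PROCS = [
    (2964, None, SAMPLE, f'"{SAMPLE}"'),
    (1752, 2964, r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"'),
    (668, 1752, r"C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe"'),
    (960, 668, REGASM, f'"{REGASM}"'),
    (3324, 960, FIREFOX, f'"{FIREFOX}" {GOOGLE_PW_URL}'),
    (1136, 1752, r"C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe"'),
    (1380, 1136, REGASM, f'"{REGASM}"'),
    (4200, None, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (4242, 4200, REGASM, f'"{REGASM}" C:\\Build\\MyLib.dll /codebase'),
]
# (source pid, target pid, API) from the SetThreadContext and WriteProcessMemory tables.
SAMPLE_INJECTIONS = [
    (668, 960, "SetThreadContext"), (668, 960, "WriteProcessMemory"),
    (1136, 1380, "SetThreadContext"), (1136, 1380, "WriteProcessMemory"),
    (2964, 1752, "WriteProcessMemory"),  # ordinary parent-to-child writes, no context swap
]


def image_args(cmdline):
    """Return what follows the (possibly quoted) image token of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def in_user_profile(path):
    """Simplification used here: anything under C:\\Users\\ is treated as user-writable."""
    return path.lower().startswith("c:\\users\\")


def detect(procs, injections):
    """Return alerts for hollowed hosts and for browsers those hosts launch with a URL."""
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(list)
    for pid, ppid, _img, _cl in procs:
        children[ppid].append(pid)
    apis = defaultdict(set)  # (source pid, target pid) -> APIs observed
    for src, dst, api in injections:
        apis[(src, dst)].add(api)

    alerts = []
    for pid, ppid, img, cmdline in procs:
        if ntpath.basename(img).lower() not in HOLLOW_HOSTS or image_args(cmdline):
            continue  # not a hollowing host, or invoked with real arguments
        parent = by_pid.get(ppid)
        if parent is None or not in_user_profile(parent[2]):
            continue  # parent is not a user-dropped binary
        if not {"SetThreadContext", "WriteProcessMemory"} <= apis[(ppid, pid)]:
            continue  # writes without a thread-context swap are not the hollowing pattern
        alerts.append({"rule": "hollowed_lolbin", "pid": pid,
                       "host": ntpath.basename(img), "parent": ntpath.basename(parent[2])})
        # Whatever the hollowed host spawns acts for the injected payload; here the stealer
        # opened the account's password-settings page in the victim's own browser.
        for child in children[pid]:
            c_img, c_cl = by_pid[child][2], by_pid[child][3]
            c_args = image_args(c_cl)
            if ntpath.basename(c_img).lower() in BROWSERS and c_args.lower().startswith("http"):
                alerts.append({"rule": "hollowed_host_spawns_browser", "pid": child, "url": c_args})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCS, SAMPLE_INJECTIONS):
        print(alert)
```

The argument check is what keeps the rule quiet on developer machines: RegAsm.exe registering an assembly always carries a path, so the constructed pid 4242 is skipped before any injection data is consulted.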
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060.exe"
    PID: 2964
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
        PID: 1752
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000001001\e1598c2793.exe"
            PID: 668
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 960
                - System Location Discovery: System Language Discovery
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files\Mozilla Firefox\firefox.exe
                    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                    PID: 3324
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Program Files\Mozilla Firefox\firefox.exe
                        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
                        PID: 1048
                        - Checks processor information in registry
                        - Modifies registry class
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of FindShellTrayWindow
                        - Suspicious use of SetWindowsHookEx
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (gpu)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3c181cf-a857-43b6-9f50-14b4dcc4e416} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" gpu
                            PID: 3004

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (socket)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a7e0155-1d6c-4ba3-aea8-09e5dbf47d01} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" socket
                            PID: 1100

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3324 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb2f84c-6bb2-4bab-8b2d-72cacc511860} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 1468

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 2 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b090283-51cd-485d-92ba-d45bb2cff57d} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 1032

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (utility)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {836c2dee-f468-4365-bad2-9274f6c8f33d} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" utility
                            PID: 5252
                            - Checks processor information in registry

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5492 -prefMapHandle 5472 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe939dd-061b-40bf-86cd-400b5a4de462} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 5784

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 4 -isForBrowser -prefsHandle 5768 -prefMapHandle 5576 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1053e807-3d61-4d01-a435-cf1b4d2062df} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 5828

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07552a6c-d39a-40ba-ab96-d5990a066e39} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 5840

                        [7] C:\Program Files\Mozilla Firefox\firefox.exe (tab)
                            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -childID 6 -isForBrowser -prefsHandle 5884 -prefMapHandle 5732 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a0035d-eea5-4262-8868-9ff433624269} 1048 "\\.\pipe\gecko-crash-server-pipe.1048" tab
                            PID: 4368

        [3] C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\facfc2c046.exe"
            PID: 1136
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 1380
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\1000003002\2b6a1acebe.exe
            Command line: "C:\Users\Admin\1000003002\2b6a1acebe.exe"
            PID: 3592
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (no parent recorded)
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 5556
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe (no parent recorded)
    Command line: C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    PID: 6116
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

File: (no path recorded)
  Filesize: 187KB
  MD5: 278ee1426274818874556aa18fd02e3a
  SHA1: 185a2761330024dec52134df2c8388c461451acb
  SHA256: 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
  SHA512: 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

File: C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B
  Filesize: 13KB
  MD5: 090ac46b226bc53563bb7fc8593484f7
  SHA1: 6bc4b7a915f51dd999c79036c694d5d54f77f759
  SHA256: 575d3f8fc1406fbec1a4e0e00b8a725f846a9a0133092c7fdee8fe1e5e1e3c1d
  SHA512: 0744f1be023881a8bf8ff1ad05cc6061bb0ad3fd1963a2682c25b533adcefc3227760f4445c6a5a67f1efa7ae303fe18def293f6b1b9f4000b34b4991711d713

File: (no path recorded; hashes match the submitted sample)
  Filesize: 1.8MB
  MD5: 19d4b831e5dd11605dedad6373ca39b8
  SHA1: 5b6058633e97812425c3d02b35478d3a03c27188
  SHA256: 8e1fe95c10ef4030f56ab87330a85bec404a0e7b20d9821d60f1c7ea0f77d060
  SHA512: 872d63031169322a829b766a452abae14f38ad9618bb0a52aaa8079ab178cb659a6de03446767f72762dabb6738e050daa3d68f9f8053be8b35e7dac58add9e9

File: (no path recorded)
  Filesize: 1.2MB
  MD5: 21f570b2a3b04bc8c2d031c296413458
  SHA1: 72c65436b31fe8d27c00eca9acf9590c7d6fd222
  SHA256: a4fc1e5a680d5701279a61ada37dc8b19d302c7113e70324caba4156a0f9c2ea
  SHA512: d0cfc5dfb6d34ad66db0ffc469ea1276f60fe87a58e307e7e2ce887c37413bb09a5fec4b425f4bfef4b8a3a4e6da70e2434f8424797e38bd40fdc1604a8ae874

File: (no path recorded)
  Filesize: 206KB
  MD5: 1248fcc89f1bcbaa44ea9c47ec824d7e
  SHA1: a6bd2f5b2ca96bebc8158dd435ffff8d02ff6550
  SHA256: 343da582cbe90421cadbaadbbead3532ec26d82f9b3d297feb8b669d71754c5d
  SHA512: a96870d51390ab21b188b5b7ba6d3e030cf78fd6d6c75eb93f2dd7f9d1869715db59b894a4165c31b69bf4f05ffcc18a7443df3266145d09b3f873c6a6b984c3

File: (no path recorded)
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

File: (no path recorded)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
  Filesize: 7KB
  MD5: 8b380944df232d2e6e1d27dc7981f1ca
  SHA1: 4f445b96ac369eca1232b52f711adb548d831fc6
  SHA256: 7ca7a7f111c3873f84d127839d3c17d0dafc211cb429b3419d85fdf37780ee10
  SHA512: 9162b48decea8a2f226fbf92a0eb3c081a7d7f95ddb16aec6aa9e06eb73bd13bf773806050ea03175d39a749d6868caabcec7c81b64d45a020d7717305f2d126

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\AlternateServices.bin
  Filesize: 10KB
  MD5: feb4204eed1d6a229a4b3c9050a71b27
  SHA1: c9e36dba07764befcf1a89cdcb9cdf7b7330073f
  SHA256: 7666d451c152bd658781e37f82148bc211e20f48306a3d89054c1ff12b1b2ae6
  SHA512: 2d4dc1f9ee56ae196686068d725cf87d4a6ecdc0410b612ff7d0d86893d98a800efa28d8ed64882e2f0ebd7ee27588c9b508dcda78218c01042ae8de511c1737

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 3222b159385a88ac302be36506fa8f5f
  SHA1: f47849edcb7e464dc5263ad31fdcc32932939adb
  SHA256: ad20262d1ec2452fd53b39a0ffd7e00f43fd02da4f0cad6c90b6530331583b78
  SHA512: bb35b690637587ec6146a92e764effe5909c428fffe09ef0f60718a1f5f9d41b52ab8722a43f5e8599703467c88e20ea75dec8afca23a5fa5079f22ce28fac3d

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5: bce42ea8d22a99e830d448c8b01acde6
  SHA1: 2a6cf75a4bcba713e059bcb23fd9440e0a9cb371
  SHA256: 1a3c4675d56121008a1a0b874f30ad7187e1baeddee0f2eb806b31bdf2ee9baa
  SHA512: 7342091e71191f53bfef8960b2fa1505765a9845b5673ab16511f3fa4ea4132f407ffff0581c378cccfee35735d44cd16381f3ae49f6976f508a6d77661255b5

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5: 03ec50456b0d2e1a16a2822013a00d12
  SHA1: 91e191fdbf29a6c51fc04d56e24424ff8e62c746
  SHA256: f715360603efa45777884f15460ba562a86f2dfb1bb04c606ea2c3ea48d2b2cc
  SHA512: bcc54b4dd9055ac6f7f080186c24b19165cd6abeeccf669d92c3fee01046e3835867f1360e60857d724267f68b6ae57161c223fb66795704bd6f5ecb89517b46

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: 793d82b23a32546713a2dcf547f2394d
  SHA1: 23a0151e6e3151c8b97a368fadd4def37196ae7f
  SHA256: bef9f9e5d228009642d30507e2e81c4c50c9059d582c7886fffffddc375e2cf6
  SHA512: d940d307df184e75887a8b62b09a48bf932ef2f5f4d97c53cfc713160d164cd4b03624f31cf27a10063d36f87aab3f5f63db38ac1bcbf870655239aa0ff2a282

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\4ef9d3be-75df-4466-819c-530ae24e5444
  Filesize: 671B
  MD5: 6c56b933ee371ee2cda111c9f8bf8c68
  SHA1: c76645bca286af8c7539354ff1f064928c1af1c6
  SHA256: 1aca6f3bc4d8021ad7d9806a27863316f5f55484156e8b987e70a9e5c1f892a3
  SHA512: 04330d3308b4246dad57230f2c03195ba9d563b034da23cd2d5929a9adb19db06b188158a8a2f10201e3738363362060be108482187f26a339c153b03506ac4c

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\92fb7c83-1c80-4ee0-83ce-792cd2d790a0
  Filesize: 982B
  MD5: 58ab79c5633f33dbe59398216fcd694e
  SHA1: 7e930ccf8fddc6f6f281cd1247b1d3168162b283
  SHA256: b52d668f7a76ff30d4f974691dc77894fc06b4c5b20fbae7b515575c81eaf77c
  SHA512: a7a2e97b31277d18ee4af3d0b0f495fc54ffa6e537768978a3bb241ba920a0bad7c9aafb6637a72427b647f7e445ca48365f8ac784b6322475090220b4ec774b

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\datareporting\glean\pending_pings\bf6ec2cc-8c72-470b-a78d-b0ff716de060
  Filesize: 26KB
  MD5: 2d2df17f89937905a1e555a2a321356e
  SHA1: a42bfb905319cd2a9974cb34b0550829e88ad1b8
  SHA256: e6056e51255b9e10eb9f4eaae0dc6e4983ffdab57a037bd9becfc88be642d1ba
  SHA512: df9601059045876ffd56232769f0eaaac908c2babe128bec1642766e0f005ac753146f2391593f206c1f014cdaec8eefbb1ed687267fea151c365f8acc9545e1

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

File: (no path recorded)
  Filesize: 13KB
  MD5: 7793d64c7b89a107a57b762170429014
  SHA1: ea6b2838eafc71d656c0332015985ad31e49bc2b
  SHA256: ba1ed3059ba90292ad7e5664ad1a53c30095e477a105940717fda3108ddad308
  SHA512: da6d39b3d2b4fdadfdde6c7ad231efb923b91046d680e492ddc7b40d691770ef1058cdb9c7056d5ba591a72f67300502c563340b108740059932b44cbff420c4

File: (no path recorded)
  Filesize: 16KB
  MD5: 44c777cbd9bceda3c116ba73f2ef7711
  SHA1: cf0f1bb8135680d6017c35389ffc33300751cee5
  SHA256: 41b13da73c45bf5d99f390721e4adbab8bac1b3d4f4ef574d37a16493d7a355a
  SHA512: 2486c1bad20c4e822942573f3261c03d17005f2ddf0722ef306897e1829432ba8eb6afd0b9f7e192e8aa1cfddc54ba988caf0a9c74d46ab0923ec776fb66a385

File: (no path recorded)
  Filesize: 11KB
  MD5: f36aa16da72af1919f87af610c714175
  SHA1: 7695ea000f4dfa360db00dd3c135078f7c084054
  SHA256: 71b93de8b83e4dde9622ac257dcdfb7a873364f235bf2188d7ee1182181f8b37
  SHA512: 187e231148854d54eaa1bce3d5d077baf8fbd9fc0793a7ffe6a777622c6bccc70e296d044bb095dc762e4519d8c4f1f7136e6a71d791ede9a633e0f978cf8c99

File: (no path recorded)
  Filesize: 10KB
  MD5: cea3ba8291ce6f359b15a313600559da
  SHA1: e9f59b6d4c5356feacb238b1feff58bc2a46a683
  SHA256: 8e55f9b4c5842c5d40598703998c595d2b092e45f8752c989f67fb70f74c521f
  SHA512: f44e471481812b47b2934a0868692af6009ea9b57c690a03d0079d5a59ea71ef035973e89e0fc48f26efe16f4b90b4e8722db085dc9b49a0e6c596026bbd83c3

File: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rl5fa9qd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 1.1MB
  MD5: 63b2f773c7596a55de1f245b0530b72f
  SHA1: 241c9ae25ff6e41bc273b2320c0fd0e9ea3f8798
  SHA256: 7527acf8ab2602e576ca7e70ab391bfc36c60ad49e807ceebba6ea6f2b52280e
  SHA512: 8f8db765ce9e50d637a6242273d9edf7618d2b2b9374aa6cf8bd36b7869267702afd332583f3a09571e747ca3f3e89c5f9daa94eceb2da44470fb8bc2753bbd8